To Legislate or Not to Legislate; That is the Question

Why is the role of cyber insurance becoming more than simply a financial instrument to transfer risk?

In my blog from last week, I set out the reasons why cyber insurance demand is skyrocketing and will continue to do so. A risk transfer strategy as part of an overall enterprise approach to cyber security has rapidly become indisputable. However, the insurance industry is beginning to understand that it has an important and wider role to play. Why?

Two weeks ago something significant happened in Congress. After much delay and hours of wrangling, the Senate finally passed “The Cybersecurity Information Sharing Act,” or CISA as it is commonly known. It now goes to the House, where two similar bills are pending, before final legislation is passed. This is very positive news.

Sharing cyber security threat information between companies in the private sector – and with the government – is an important means of creating an early warning system against incoming attacks. Companies will also be able to learn about specific attack vectors and the vulnerabilities they exploit, and patch or prepare before it is too late.

However, further legislation that attempts to create cyber security standards that companies must meet is very unlikely to work for two reasons:

Where do you set the bar for a large publicly traded company with significant resources versus the small business with no CISO or IT department?

Boardrooms tend to view standards as a compliance exercise at a time when cyber security must be viewed as an investment where no investment can be enough.

“The market can drive incentives for companies to invest in and improve cyber security resilience”

I am not advocating for no regulation, but more than 80 percent of US critical infrastructure is owned by the private sector, and it is the market itself that can do more than anything else to address the cyber domain challenge. The market can drive incentives for companies to invest in and improve cyber security resilience, and arguably there is no greater financial incentive than insurance.

The federal government understood this in rolling out the NIST framework: adoption is voluntary, not mandated. Insurers can reward a strong cyber security posture through lower premiums and self-insured retentions, or through broader coverage.

The cyber insurance market remains constrained today, held back by a lack of actuarial data with which to model risk, and insurers are investing heavily to close that gap. The good news is that the market approach is already starting to work. Companies that hold payment card data and meet PCI (Payment Card Industry) standards are now finding they must do more to obtain insurance, investing in end-to-end encryption or tokenization, for example.

Expect this approach to evolve further as insurers develop greater technical and analytics capability over the coming years.